Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:805F2E7A-A864-4917-992A-DBE4465990FB
HistoryNov 06, 2017 - 12:00 a.m.

Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow

2017-11-0600:00:00
attackerkb.com
8

0.167 Low

EPSS

Percentile

96.1%

JSON

There is a stack buffer overflow in Advantech WebAccess 8.2. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.

Recent assessments:

wchen-r7 at September 12, 2019 6:07pm UTC reported:

The stack overflow happens in sub_10004BC8:

.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8    proc near               ;
.text:10004BC8                                         ;
.text:10004BC8
.text:10004BC8 lpWindowName    = dword ptr -818h
.text:10004BC8 hWnd            = dword ptr -814h
.text:10004BC8 lpClassName     = dword ptr -810h
.text:10004BC8 Args            = dword ptr -80Ch
.text:10004BC8 lpBaseAddress   = dword ptr -808h
.text:10004BC8 hFileMappingObject= dword ptr -804h
.text:10004BC8 Dest            = byte ptr -800h
.text:10004BC8 Format          = dword ptr  8
.text:10004BC8 arg_4           = byte ptr  0Ch
.text:10004BC8
.text:10004BC8                 push    ebp
.text:10004BC9                 mov     ebp, esp
.text:10004BCB                 sub     esp, 818h
.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1    ; "Debug Screen1"
.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1     ; "debugWClass1"
.text:10004BE5                 lea     eax, [ebp+arg_4]
.text:10004BE8                 mov     [ebp+Args], eax
.text:10004BEE                 mov     ecx, [ebp+Args]
.text:10004BF4                 push    ecx                                         ; Args
.text:10004BF5                 mov     edx, [ebp+Format]
.text:10004BF8                 push    edx                                         ; Format
.text:10004BF9                 lea     eax, [ebp+Dest]
.text:10004BFF                 push    eax                                         ; Dest
.text:10004C00                 call    ds:vsprintf                                 ; overflow

The corresponding IDL is below:

[
 uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
 version(1.0)
]

interface target_interface
{

/* opcode: 0x01, address: 0x00401260 */

void sub_401260 (
 [in] handle_t  arg_1,
 [in] long  arg_2,
 [in] long  arg_3,
 [in] long  arg_4,
 [in][ref][size_is(arg_4)] char * arg_5,
 [out][ref] long * arg_6
);

}

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0

Related

packetstorm 1
zdi 1
zdt 1
checkpoint_advisories 1
prion 1
nvd 1
cvelist 1
cve 1
ics 1
threatpost 1
packetstorm
packetstorm
Advantech WebAccess 8.2 Stack Buffer Overflow
2017-12-13 00:00:00
zdi
zdi
Advantech WebAccess webvrpcs ViewDll1 Stack-based Buffer Overflow Remote Code Execution Vulnerability
2017-12-06 00:00:00
zdt
zdt
Advantech WebAccess 8.2 Stack Buffer Overflow Exploit
2017-12-14 00:00:00
checkpoint_advisories
checkpoint_advisories
Advantech WebAccess Buffer Overflow (CVE-2017-14016) - Ver2
2018-04-15 00:00:00
prion
prion
Stack overflow
2017-11-06 22:29:00
nvd
nvd
CVE-2017-14016
2017-11-06 22:29:00
cvelist
cvelist
CVE-2017-14016
2017-11-06 22:00:00
cve
cve
CVE-2017-14016
2017-11-06 22:29:00
ics
ics
Advantech WebAccess
2017-11-02 12:00:00
threatpost
threatpost
Siemens Update Patches SIMATIC PCS 7 Bug in Some Versions
2017-11-03 11:00:18

0.167 Low

EPSS

Percentile

96.1%

JSON
Related for AKB:805F2E7A-A864-4917-992A-DBE4465990FB
packetstorm1zdi1zdt1checkpoint_advisories1prion1nvd1cvelist1cve1ics1threatpost1